In a secure environment, it is possible to send the requester identity without its own credentials, accompanied instead by other trusted credentials such as the server identity.
Before you begin
Prior to completing this task, you must import your application into an assembly tool. For information on how to import your application, see Importing enterprise applications.
About this task
Identity assertion is one of the WebSphere Application Server Version 6.0.x and later enhancements, but it must be used in a secured environment such as a Virtual Private Network (VPN) or HTTPS. With identity assertion, WebSphere Application Server supports the following types of trust modes:
- None: Specifies that a trusted credential is not attached to the Simple Object Access Protocol (SOAP) message.
- BasicAuth: Specifies that a username token with a user name and a password is used as a trusted credential.
- Signature: Specifies that an X.509 certificate security token is used in the digital signature.
The specific configuration for identity assertion is necessary on the consumer side in a service configuration only. On the generator side, you need to configure two token generators in a client configuration: one for a requester token and one for a token of a trusted party.
Complete the following steps to configure an application for identity assertion. You must configure both the consumer and the generator to complete the configuration.
Procedure
- Start the assembly tool.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective. Click Window > Open Perspective > J2EE.
- Expand the Web Services > Services section in the Project Explorer and double-click the name of the Web service.
- Click the Extensions tab and expand the Response Consumer Service Configuration Details > Caller Part section to configure the caller token.
- Configure the caller token for the consumer. Complete the following steps to configure the caller token for the consumer:
  - Click Add to configure the caller part. The Caller Part Dialog window is displayed. In this window, configure both a token that is used as a caller (requester) credential and a token for the trusted party.
  - Specify a name for the caller token in the Name field.
  - Select the type of caller token in the Token type field. For example, you can select Username if a username token is used as the caller token. When you select the token type, the Local name is automatically specified.
  - Optional: If you select the Custom token in the Token type field, you must specify the Local name and the Uniform Resource Identifier (URI) of the custom token. The URI field is used only for a custom token.
  - Optional: If the caller token is also used as a certificate of a required integrity or confidentiality part, select the name of the part in the Integrity or Confidentiality part field. The list contains the names of the integrity and confidentiality parts that are defined in the Required Integrity and Required Confidentiality sections for the consumer. For example, when an X.509 certificate token is used for both a caller token and a signature certificate of the body element, you can select X.509 certificate token in the Token type field and select reqint_body1 in the Integrity or Confidentiality part field. This example assumes that reqint_body1 is a required integrity configuration.
- Configure a trusted party token for the consumer. Complete the following steps to configure the trusted party token:
  - Select the Use IDAssertion option to associate a trust method with this caller and to verify an asserted identity from the intermediary (caller).
  - Select the name of the trust method in the Trust method name field. The following selections are supported:
    - None: Select this option to specify that a trusted credential is not attached to the SOAP message.
    - BasicAuth: Select this option to specify that a username token with a user name and password is used as a trusted credential.
    - Signature: Select this option to specify that an X.509 certificate security token is used in the digital signature.
    When you select either BasicAuth or Signature, the URI and the Local name fields are automatically specified.
  - Optional: Select a name of an integrity or confidentiality part in the Integrity or Confidentiality part field if you require digital signature or encryption by the trusted party token. For example, if you select Signature in the Trust method name field and you require that the trusted party token signs the body element, select reqint_body2 in the Integrity or Confidentiality part field. This example assumes that reqint_body2 is a required integrity configuration.
  - Optional: If you select BasicAuth or Signature in the Trust method name field, specify a trusted ID evaluator in the Token Consumer Dialog window of the binding configuration. Complete the following steps to specify a trusted ID evaluator:
    - Click Binding Configurations in the Web services editor.
    - Expand the Token Consumer section and click Add.
    - Click the Use trusted ID evaluator option.
    - Specify a class name in the Trusted ID evaluator class field. The class implements the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface and validates a trusted party token. WebSphere Application Server provides the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl class, which is a sample implementation of the TrustedIDEvaluator interface. If you use this class, specify com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl in the Trusted ID evaluator class field and click Add to add the following trusted ID evaluator property:
      - In the name field, specify trustedid
      - In the value field, specify CN=Alice,O=IBM,C=US
      The value of the property is the distinguished name (DN) of the username or X.509 certificate token of the trusted party token.
    - Click OK to save the configuration.
- Expand the Web Services > Client section in the Project Explorer and double-click the name of the Web service.
- Click the WS Extension tab and expand the Request Generator Configuration > Security Token section.
- Specify the caller token for the generator. Do not specify a token in the required token if the token is used for signing or encryption. However, you must specify a token in the required token for a stand-alone token. A stand-alone token is a token that is not used for signing or encryption. When the caller token type is a username token or an X.509 certificate token and it is not used for signing or encryption, specify a security token for this caller token.
  - Click Add to configure a security token.
  - Specify a name for the caller token in the Name field.
  - Select either the Username or X.509 certificate token option in the Token type field. After you select one of these two options, a value for the Local name field is automatically defined.
  - Click OK to save the configuration.
  - Click the WS Binding tab and expand the Security Request Generator Binding Configuration > Token Generator section.
  - Click Add and add the token generator configuration for the caller token.
  - Click OK to save the configuration.
- Configure the trusted party token. When the trust mode, which was specified previously, is None, only the caller token is attached and you do not need to specify the security token of the trusted party. When the trust mode is BasicAuth or Signature, you need to specify a username token or an X.509 certificate token of the trusted party. However, if the X.509 certificate token of the trusted party is also used for digital signing or encryption, you do not need to specify the security token of the trusted party. Complete the following steps to configure the trusted party token:
  - Expand the Web Services > Client section in the Project Explorer and double-click the name of the Web service.
  - Click the WS Extension tab and expand the Request Generator Configuration > Security Token section.
  - Click Add to configure a security token.
  - Specify a name for the trusted party token in the Name field.
  - Select either the Username or X.509 certificate token option in the Token type field. After you select one of these two options, a value for the Local name field is automatically defined.
  - Click OK to save the configuration.
  - Click the WS Binding tab and expand the Security Request Generator Binding Configuration > Token Generator section.
  - Click Add and add the token generator configuration for the trusted party token.
  - Click OK to save the configuration.
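As an added example, not code from this page and not WebSphere's TrustedIDEvaluatorImpl, this shows the check a custom trusted ID evaluator class has to get right: the trusted party's DN taken from the username or X.509 token is matched against the configured trustedid value as a parsed distinguished name, using the JDK's javax.naming.ldap.LdapName, rather than as a raw string. The class and method names are assumed; how such a class plugs into the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator interface is not shown here and follows the interface as shipped with WebSphere.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

// Hypothetical evaluator core (assumed class and method names, not the WebSphere
// sample class): holds the configured trustedid value(s) as parsed DNs and accepts
// a trusted party only if its DN is the same RDN sequence as a configured one.
public class TrustedDnAllowlist {
    private final List<LdapName> trusted = new ArrayList<LdapName>();

    // Configured trustedid value(s), e.g. CN=Alice,O=IBM,C=US; a malformed one is a
    // deployment error and fails loudly here instead of silently trusting nothing.
    public TrustedDnAllowlist(List<String> configuredDns) throws InvalidNameException {
        for (String dn : configuredDns) {
            trusted.add(new LdapName(dn));
        }
    }

    // Username-token case: the trusted party's user name is presented as a DN string.
    public boolean evaluate(String presentedDn) {
        if (presentedDn == null) return false;
        LdapName candidate;
        try {
            candidate = new LdapName(presentedDn);
        } catch (InvalidNameException e) {
            return false; // an unparseable DN is rejected, never treated as a match
        }
        // LdapName.equals compares RDN by RDN: types and string values case-insensitively
        // (X.500 matching rules), but order and count exactly, so no prefix or
        // substring of a trusted DN can ever match.
        for (LdapName t : trusted) {
            if (t.equals(candidate)) return true;
        }
        return false;
    }

    // X.509 case: evaluate the certificate subject. The consumer must already have
    // verified the message signature against this certificate.
    public boolean evaluate(X509Certificate cert) {
        return cert != null && evaluate(cert.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) throws InvalidNameException {
        TrustedDnAllowlist eval = new TrustedDnAllowlist(Arrays.asList("CN=Alice,O=IBM,C=US"));
        System.out.println(eval.evaluate("cn=Alice, o=IBM, c=US"));      // same DN, other formatting
        System.out.println(eval.evaluate("CN=Alice,O=IBM,C=US,OU=Dev")); // extra RDN, rejected
        System.out.println(eval.evaluate("CN=Bob,O=IBM,C=US"));          // different CN, rejected
    }
}
```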
What to do next
Your environment is configured for identity assertion.